This Hot Patch, build #91941, includes a small set of fixes that have been reported by customers since we released GroupWise 8.0.2 in July. These fixes are across all GroupWise components, but are more concentrated in the agents in order to provide greater stability and reliability. This Hot Patch also includes fixes that further support our Novell Data Synchronizer product and its Mobility solution. There are roughly 14 changes that further add to the functionality of our ActiveSync solution. For the best Mobility experience, we recommend rolling out this Hot Patch and the Mobility update that released a few weeks ago. See blog: GroupWise: Mobility Pack Update Available! / BES 5.0.1 Available!

Security Alert

This Hot Patch also includes fixes that address a few security issues. Details about these security fixes are provided below. This Hot Patch is available to all GroupWise customers with current maintenance. Internal alerts to all sales, technical, field and support personnel and newsgroups and lists were done on Friday. Please note: These fixes are only available for GroupWise 8. For those customers still using previous versions of GroupWise, we recommend upgrading and taking advantage of not only the great features of our latest versions, but also the added security, reliability and mobility solutions.

The GroupWise Internet Agent has a vulnerability in its IMAP component that could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA where IMAP services are enabled. Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.Related TID:7007151
Novell bug 647519

The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses multiple values within the “Content-Type” header of a received message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA. Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.Related TID:7007152
Novell bug 642336

The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses string data within the “Content-Type” header of a received message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA. Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.Related TID:7007153
Novell bug 647757

The GroupWise Internet Agent (GWIA) has a vulnerability in the way that it parses numbers within the “Content-Type” header of a received message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA. Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.Related TID:7007154
Novell bug 642338

The GroupWise Internet Agent (GWIA) has multiple vulnerabilities in the way that it parses variables within a received VCALENDAR message, which could potentially allow an unauthenticated remote attacker to execute arbitrary code on vulnerable installations of GWIA. Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.Related TID:7007155
Novell bugs 642339, 642345, 642349

The GroupWise WebAccess Agent and Document Viewer Agent are vulnerable to an exploit that could potentially allow arbitrary files to be downloaded from the server. Authentication is not required to exploit this vulnerability.Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their WebAccess servers and associated Domains to version 8.02HP in order to secure their system.Related TID:7007156
Novell bugs 638644, 638646

The GroupWise Internet Agent has a vulnerability that could potentially allow an authenticated user to execute arbitrary code on vulnerable installations of GWIA where IMAP services are enabled.Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GWIAs and associated Domains to version 8.02HP in order to secure their system.Related TID:7007157
Novell bug 635294

The WebPublisher component of GroupWise WebAccess is vulnerable to a potential Cross-Site Scripting (XSS) exploit that could potentially be used to redirect users to a malicious website.Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their WebPublisher servers and associated Domains to version 8.02HP in order to secure their system.Related TID:7007158
Novell bug 651159

The HTTP interfaces for the GroupWise agents (Message Transfer Agent, Post Office Agent, Internet Agent, WebAccess Agent, Monitor Agent) are vulnerable to an exploit that could allow a remote attacker to execute arbitrary code on vulnerable installations of Novell Groupwise. Authentication is not required to exploit this vulnerability.Affected versions: GroupWise 8.0x, 8.01x, 8.02. Previous versions of GroupWise are likely also vulnerable but are no longer supported. Customers on earlier versions of GroupWise should, at a minimum, upgrade their GroupWise systems to version 8.02HP (or disable the GroupWise Agents’ HTTP interfaces) in order to secure their system.Related TID:7007159
Novell bug 627942

We recommend you deploy the Hot Patch to ensure your system has all currently available fixes.

As stated in previous blog posts:

“Novell and GroupWise take every security report very seriously. We want our community to be well informed and well protected. GroupWise is very reliable and we know that our customers expect it to be the very best.

We do stress – All security issues should be taken seriously and patches applied.
Please follow Best Practices guidelines for updating your system when applying this patch.”

For a list of the issues resolved in this Hot Patch, please refer to the release notes, which can be found as part of the download.

FYI: We continue to make great progress on Ascot. We have another internal demo scheduled for next week. I will blog about the progress and the updated schedule after that demo – this will be our 4th internal demo.

Blog with you soon!

Dean

(1 votes, average: 5.00 out of 5)You need to be a registered member to rate this post.

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

4 Comments

Let me guess the client install still sucks, so in order to get this patched client on 1200 systems is to Uninstall GW7 client, run a third party GW clean-it utility, and hope that the GW tuner actually does disable software integration.

Even the basic 802 client installation with ZCM / Win7 machines had issues when doing any custom settings (language, integrations..), our Zen team had to tweak it pretty much..
so much time spent on such basic things ;-(

There have not been any specific changes to this component in the Hot Patch. It seems we continue to struggle in this area. We have provided multiple methods for rolling out the Windows Client, but it does not appear to have satisfied all of our administrators.

This reply is actually a reply sent to Novell Support via our PSE 18 months ago. It refers to GW 7.x but the client install of GW8.x Has has the same problem. Basically the Novell client engineers to not know enought about MSI/InstallShield to use MSP.

Read this….
====================================================
MSI file that gets published in the Download section of Novell’s site
when a new update is released (as small as 7.0.3 HP2 to 7.0.3 HP3, for
example).

For rolling out new versions of GroupWise, we take the MSI supplied by
Novell and push it using an Application Object (along with some MSTs
to
configure some basic settings). Unfortunately, unlike most vendors
(Adobe, etc), when Novell releases a minor update (eg. HP2 -> HP3),
they
only release a whole new MSI and no MSP file. This means we have to
reinstall the whole MSI each time. Also, we have a few custom user
settings that we want to keep, so for us a typical update process
looks
like this:

This introduces a lot of work and testing on our end (have to test all
the uninstalls and installs, make sure integration with certain apps
is
kept after the reinstall, etc). Instead, if Novell could provide a
small
MSP file that contains the changes (the 5-10 new DLLs and reg keys or
whatever it is changed; in fact this is exactly what MSP files were
designed for), then our update process would look like this:

– add the 7.0.3 HP3 MSP to our GroupWise install app object
– increment the version number for the app object
– at the next refresh, they would get the MSP and their client would
now be up to date!

Adobe and a few other vendors do this and we’re hoping Novell could do
the same, as it makes all security updates a breeze. Creating an MSP
file is very quick and simple, so it really shouldn’t add a lot of
work
on your end. We thought about figuring out the changes ourselves and
then creating our own MSP, but we’d like to stick to ‘official’
downloads as much as possible.

Finally, a note from the member of my team who has packaged the last
few GW clients:
Usually a golden rule with MSI it to never use the same version number
(such as 7.0.3) when you release a MSI to the public. If the changes
were not big enough to justify a new revision (7.0.4 or 7.1 for
instance) then you should create a MSP file instead. I’m saying this
because, besides looking at the .exe build number, there is no way in
the MSI to know which exact version it is. It makes no sense
uninstalling the whole product, then installing it again to still be
at
7.0.3 (which is your MSI’s default action)! Even when looking in
Zenworks Asset Inventory, I see that I have 1300 GW 7.0.3 deployed,
but
I don’t know if it’s the original, HP1, HP2 or HP3 flavor. Then again
it would not really matter if I was always pushing the same base MSI
with additionnal MSP’s.
======================================================

The answer we got back then was that it might be addressed in ………….GW 9.x !!!!!!!!!!!!